The benefits and importance of managing risks in SMEs
Managing risk in SMEs enables them to improve performance, accelerate growth and create sustainable long-term value. In addition, SMEs can also minimise losses and avoid catastrophic disruptions if they manage risk effectively and efficiently.
All businesses and organisations implement strategies to achieve their goals and objectives. The achievement of such goals and objectives produces many benefits, inter alia:
- Growth in revenues and market share
- Increased cash flows and easy access to funding and capital in the markets
- Streamlined and productive operations
- Good reputation and brand equity
- Motivated and competent staff
- Satisfied and happy customers
- Strong and healthy relationships with stakeholders
- Sustainable competitive advantage
- Agility that enables it to respond effectively to change
However, the pursuit of objectives and goals is accompanied by many risks. The success of businesses and organisations, including SMEs, in achieving their strategic goals and objectives is dependent on how effectively and efficiently they manage risk.
Moreover, in order to accelerate growth and create sustainable long-term value, SMEs must proactively and optimally take on more risks, subject to their risk appetite.
In other words, SMEs must determine whether the pursuit of goals, opportunities and objectives is worth the risk, whether the benefits will exceed the cost of the risks and whether the business has the competencies, resources and capabilities to mitigate the risks.
Example of how SMEs can manage risk
The current business environment requires businesses to embrace digital transformation, i.e. to digitalise their operations in order to satisfy new customer demands, offer new products and services, and automate processes, systems and operations. The aims are to boost the quality of products and services, reduce cost, increase efficiencies, build agility and improve communication with customers, staff and other stakeholders, etc.
However, the pursuit of such a digital strategy comes with a high likelihood of cyber-attack risks in the form of data breaches, ransomware, viruses, locking of systems, etc.
The consequences and impact of such risk, if not adequately mitigated, are disruption of operations (like the widely publicised disruption of IT systems of Transnet due to cyber-attacks), poor customer services, payment of ransom money, theft of data, intellectual property and other assets (Standard Bank recently had a data breach where customer records were exposed), damage to reputation and brand, etc.
Therefore, it is in the SMEs' best interest to identify risk and mitigate the impact of such risk. The benefits of managing this risk will far outweigh the cost of the risk.
Strategies to mitigate risk
SMEs must develop strategies to mitigate the risk identified. Strategies to mitigate the cyber-attack risks include developing and updating security policies, developing capabilities and acquiring resources to identify, prevent and control cyber-attacks, sensitising and training own staff and users about cyber risks and how to avoid falling victim to them, password controls, etc.
Responsibility of management
The management of SMEs is ultimately responsible for the identification and management of risk. Therefore, SMEs must develop and nurture a risk-conscious culture.
Risk management must be infused in strategic planning, decision-making, problem-solving and the day-to-day management of operations.
SMEs must at all times be aware of and sensitive to all risks in the business. However, risk cannot be efficiently mitigated without knowing and understanding it adequately, and failing to know and understand the risks that SMEs are exposed to has devastating consequences.
In addition, SMEs must develop and implement a structured and robust process and methodology that enables them to identify strategic, operational, financial, compliance and other risks.
The outcome of such a risk management methodology is a risk register that sets out major identified and measured risks, action plans and the timing to mitigate such risks as well as the persons responsible for the implementation and outcome of the action plans.
The risk register must be regularly updated as risk constantly arises and changes in organisations. Such a risk register should become a top agenda item in executive committee and management meetings.
Structured risk management methodology
A structured risk management methodology is a documented series of steps, processes, systems, procedures, techniques, team roles and responsibilities and policy to enable management to identify, measure and assess risk, and develop robust action plans to mitigate and manage enterprise risk.
Senior, middle and lower management must fully participate in the risk management process as risks exist on all levels and have an effect on the business as a whole. A typical risk management methodology consists of the following summary steps:
- Management must formulate organisational goals and strategic objectives,
- Risks that will hinder the achievement of these goals and objectives must be identified and prioritised,
- Assessment/evaluation of the identified major risks in terms of impact/potential loss and likelihood/probability of occurrence,
- Identification of key, high-level management initiatives and controls to rely upon to effectively manage the identified major risks,
- High-level assessment of the perceived control effectiveness of the key, high-level management initiatives and controls currently in place,
- Development and implementation of potential high-level actions/initiatives to improve the control and management of the identified risks, and
- Assigning a risk owner to the implementation of the risk mitigation action plans.
This methodology will give rise to a risk register that must be communicated to all stakeholders, implemented and monitored on a regular basis.
Examples of areas where risk must be managed
The following are key risk areas in SMEs that must be monitored, assessed and managed on a regular basis:
- Customer services
- Marketing and sales
- Reputation and brand
- Competition
- Market
- Financial stability
- Credit, cash flow, interest rates and foreign exchange
- Assets
- Financial structure
- Reporting
- Business and financial controls, systems and processes
- Regulatory/statutory/legal
- Fraud and theft
- Human resources
- Operational
- Technical and technological
- Intellectual properties
- Information technology
- Information integrity and reliability
- Cyber-attacks and security
- Business continuity
- Change management
- Health and safety
- Buying or selling a business or business interest
- Stakeholders
- Political
- Social
- Economy
- Environmental
Poor risk management in SMEs is linked to high failure rates
Small- and medium-sized enterprises (SMEs) are seen as a panacea to South Africa’s growing unemployment. The National Development Plan forecasts that 90% of the 11m new jobs will come from the SME sector by 2030. However, research data shows that this may not be the case as the SME sector’s share of this new job growth in the private sector is disappointingly low.
SMEs are also expected to contribute significantly to the country’s GDP as approximately 95% of businesses consist of SMEs, like in other countries. The National Development Plan also forecasts that by 2030, SMEs will contribute 60% to 80% of the GDP.
In contrast, SMEs' actual contribution to GDP in SA is disproportionately low, according to the research data. This situation is a result of the exceptionally high failure rate of SMEs. Between 70% and 80% of SMEs do not survive past the first five years. Among the key reasons cited for this high failure rate is the lack of appropriate business skills and knowledge, according to a survey report of The SA Institute of Chartered Accountants.
Poor risk management is invariably linked to the high failure rate amongst SMEs. However, the effective and efficient management of enterprise risk may enable SMEs to overcome this high failure rate. Unfortunately, effective risk management is among the key competencies that SMEs lack.
Therefore, the development of risk management skills and using such skills may go a long way in enabling SMEs to improve performance, accelerate growth and create sustainable long-term value for their stakeholders, as well as minimise losses and prevent small problems from escalating into crises.